(54) System and method for providing safe SQL-level access to a database

(57) A distributed computer system has an information server and a plurality of client computers coupled by one or more communication paths to the information server. The information server includes a database management system (DBMS) with an interface procedure for receiving and responding to SQL statements from client computers. At least one client computer has a database access procedure for sending SQL statements to the DBMS in the information server. The database access procedure includes embedded encrypted SQL statements, representing a predefined subset of a predefined full set of SQL statements recognized as legal SQL statements by the DBMS. For instance, the predefined subset of SQL statements might include only SQL statements for reading data in the DBMS, but not include SQL statements for modifying and adding data to the DBMS. Each of the SQL statements sent by the database access procedure to the DBMS includes a corresponding one of the encrypted SQL statements. The DBMS in the information server includes an interface procedure for processing all SQL statements received from client computers, including a decoding procedure for decoding the encrypted SQL statement included in the SQL statements sent by the database access procedure in the one client computer. The received SQL statement is executed by the DBMS only if the decoded SQL statement is a legal SQL statement. In addition, the interface procedure rejects received SQL statements that do not include an encrypted SQL statement.
Description

The present invention relates generally to systems and methods for enabling remote client computers to access data in a database server using standard SQL-level statements, and particularly to a system and method for enabling remote, untrusted client computers to access data in a database server using only a predefined subset of the possible SQL statements and for blocking the usage of all other SQL statements by the remote, untrusted client computers.

BACKGROUND OF THE INVENTION 

The present invention is designed to solve the following problem. Suppose you have a database and a database management system (DBMS) for controlling use of that database. Furthermore, you want to allow remote, untrusted clients to access the database. The problem is that while you want the remote untrusted clients to be able to use some SQL statements, there are other SQL statements that you don't want them to be able to use. For instance, you might want to allow the untrusted clients to read data from the database, but you might also want to make sure that the untrusted clients did not have the ability to modify the database.

In addition, it is a goal of the present invention to allow the DBMS to accept and respond to all legal SQL commands, without having to distinguish between remote, untrusted clients and other, more trusted clients. Obviously certain classes of SQL commands will still require special operator privileges, such as the commands for partitioning database tables and the like. But for unprivileged SQL commands, it is the goal of the present invention to provide a mechanism that allows strict limiting of the class of SQL commands that can be issued by remote untrusted clients to the information server on which the database resides, while allowing other clients to use a wide range of SQL commands.

SUMMARY OF THE INVENTION 

In summary, the present invention is a distributed computer system having an information server and a plurality of client computers coupled by one or more communication paths to the information server. The information server includes a database management system (DBMS) with an interface procedure for receiving and responding to SQL statements from client computers.

At least one client computer has a database access procedure for sending SQL statements to the DBMS in the information server. The database access procedure includes embedded encrypted SQL statements, representing a predefined subset of a predefined full set of SQL statements recognized as legal SQL statements by the DBMS. For instance, the predefined subset of SQL statements might include only SQL statements for reading data in the DBMS, but not include SQL statements for modifying and adding data to the DBMS. Each of the SQL statements sent by the database access procedure to the DBMS includes a corresponding one of the encrypted SQL statements.

The DBMS in the information server includes an interface procedure for processing all SQL statements received from client computers, including a decoding procedure for decoding the encrypted SQL statement included in the SQL statements sent by the database access procedure in the one client computer. The received SQL statement is executed by the DBMS only if the decoded SQL statement is a legal SQL statement. In addition, the interface procedure rejects received SQL statements that do not include an encrypted SQL statement.

BRIEF DESCRIPTION OF THE DRAWINGS 

Additional objects and features of the invention will be more readily apparent from the following detailed description and appended claims when taken in conjunction with the drawings, in which:

Fig. 1 is a block diagram of a distributed computer system including client computers and an information server.

Fig. 2 is a block diagram of a distributed computer system incorporating the secure SQL statement handling procedures of the present invention.

Fig. 3 is a block diagram of a DBMS access procedure in accordance with the present invention.

Fig. 4 is a flow chart of the SQL interface procedure used by an information server in accordance with a preferred embodiment of the present invention.

Fig. 5 is a block diagram of a second version of a DBMS access procedure in accordance with the present invention.

DESCRIPTION OF THE PREFERRED EMBODIMENT 

Referring to Fig. 1, there is shown a distributed computer system 100 having many client computers 102 and at least one information server computer 104. In some instances a set of client computers 102 will be connected to the information server 104 indirectly through a local area network server or other gateway 105. "Client computers" are often called "subscribers' computers" and those terms will be used synonymously.

While most client computers are desktop computers, such as Sun workstations, IBM compatible computers and Macintosh computers, virtually any type of computer can be a client computer. In the preferred embodiment each client computer 102 is connected to the information server 104 via a local or wide area network 119, although other types of communication connections (including a connection through the Internet) could be used. For the purposes of this document, it will be assumed that each client computer includes a CPU 106, user interface 107, and memory 108 for storing the DBMS access software 109 needed to retrieve database information from the information server 104. In some instances, the DBMS access software 109 may be stored in a file server shared by numerous client computers.

The information server 104 includes a central processing unit 110, primary memory 112 (i.e., fast random access memory), secondary memory 114 (typically disk storage), a user interface 116, and a communications interface 118 for communication with the client computers 102 via the communications network 119. For the purposes of the present discussion, it will be assumed that the information server 104 contains a conventional database management system (DBMS) 130, including a set of SQL interface procedures 132 for responding to SQL statements from client computers, a catalog 134 for denoting the structure of all the database tables in the DBMS, a set of database tables 136 and a set of corresponding database index files 138.

Referring to Fig. 2, in a distributed computer system 200 incorporating the present invention, the untrusted client computers 102 have a first modified version of the DBMS access program 202, while trusted client computers 204 have a second modified version of the DBMS access program 206. The information server 210 in the preferred embodiment has a modified DBMS 230. In particular, the modified DBMS 230 has a modified SQL interface 232 which utilizes an SQL statement decryption procedure 240, as will be described in more detail next. The modified SQL interface 232, which is a software procedure executed by the information server, is sometimes called a "port" or "port procedure" because it acts as the port or procedure through which communications to and from client computers are routed. In some embodiments, port procedure 232, or portions of that procedure, may be a part of the information server that is external to the DBMS 230.

Referring to Fig. 3, the modified DBMS access procedure to be used by untrusted remote client computers contains a set of embedded constant strings 242, where each of the strings is generated using a secret encryption key:

encrypted SQL string = Encrypt (SQL statement with placeholders, encryption key)

where the "SQL statement with placeholders" includes placeholder symbols such as %1, %2, %3 wherever any arguments would be used in the SQL statement. For instance, an SQL statement having three arguments may have the form

keyword1 (keyword2 %1 %2) keyword3 %3

where the symbols %1, %2 and %3 act as placeholders for the three arguments. As will be explained in more detail below, when using this SQL statement the client computer will specify argument values to replace the placeholders in the encrypted SQL string.

For the purposes of this document the terms "encrypt" and "encode" are used synonymously to mean a procedure for encoding information in a secure manner that is extremely difficult for unauthorized personnel to replicate or reverse. Similarly, the terms "decrypt" and "decode" are used synonymously to mean a procedure for converting encoded information into "cleartext".

Any reasonably secure encryption procedure can be used to encrypt the SQL statements. For instance, the SQL statements could be encrypted using DES encryption, or using the private key of a public/private key pair using RSA encryption. When using DES encryption, the same key used to encrypt the SQL statements that are embedded in the modified DBMS access procedure will be used by the information server to decode (also called decrypt) the received SQL statements. When using RSA encryption, the private key of a public/private key pair is used to encrypt the SQL statements that are embedded in the modified DBMS access procedure, and the corresponding public key is used by the information server to decode the received SQL statements.

The embedded constant strings 242 (i.e., the embedded encrypted SQL statements) may be dispersed throughout the code of the procedure 202, 206 or may be stored in a table. The modified DBMS access procedure 202, 206 sends SQL statements to the information server as a combination of an encrypted string, representing the command portion of the SQL statement, and an argument string, which is used to replace the placeholder symbols in the encrypted string when it is processed by the information server:

encrypted SQL string, unencrypted argument string

In the modified DBMS access procedure 202 to be used by remote, untrusted client computers 102, the only SQL statements included in the procedure 202 in encrypted form are a predefined subset of SQL statements authorized for use by untrusted client computers. On the other hand, in the modified DBMS access procedure 206 to be used by remote, trusted client computers 204, the SQL statements included in the procedure 206 in encrypted form will be a complete, or more complete, set of the defined SQL statements, excluding "privileged" SQL statements reserved for use only by system operators and the like.

Referring to Fig. 4, the modified SQL interface 232 and the associated SQL statement decryption procedure 240 work as follows. When the modified SQL interface 232 procedure receives a SQL statement from a remote client (step 250), it will generally be of the form

SQL statement string, argument string

where the "argument string" can include one or more arguments.

The interface procedure 232 then calls the SQL statement decryption procedure 240 (step 252) to preprocess the received statement. The SQL statement decryption procedure attempts to decrypt the command portion of the received SQL statement:

X = Decrypt (command portion of received statement, secret key)

and then merges the received argument string, if any, with the result of the decoding (also known as decryption) step (step 252):

Y = X with received arguments, if any, replacing any placeholders in X

The interface procedure then checks to see if the resulting string Y is a legal SQL statement (step 254). If not, an error message is returned to the client computer (step 256). In more sophisticated versions of the interface procedure, the initial received SQL statement will be inspected, and if the received SQL statement was an unencrypted SQL statement, then the error message returned to the client may indicate that the client computer must use a specified DBMS access procedure.

If the resulting string Y is a legal SQL statement (step 254), the SQL statement represented by string Y is executed and the results of that execution are returned to the client computer (step 258).
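A worked version of the exchange described in Figs. 3 and 4, added here as an illustration and not taken from the patent: a build step encrypts a template with %1, %2 placeholders (the constant strings 242 embedded in the untrusted client), and the server's port procedure decrypts it, merges the cleartext argument string into Y, and accepts Y only if it passes the legality check of step 254. AES-GCM replaces the DES named in the text, the key, the template and the legalSQL check are constructed stand-ins (a real DBMS applies its own parser), and all function names are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"regexp"
	"strconv"
	"strings"
)

// Constructed demo key, known to the build step that produces the client's
// embedded constant strings 242 and to the server's port procedure 232.
var secretKey = []byte("0123456789abcdef0123456789abcdef") // 32 bytes: AES-256

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// AES-GCM stands in for the DES named in the text; its tag makes edited blobs fail.
var gcm = must(cipher.NewGCM(must(aes.NewCipher(secretKey))))

// encryptTemplate is Encrypt(SQL statement with placeholders, key), run once
// at build time; the client program embeds only its output, never the key.
func encryptTemplate(template string) []byte {
	nonce := make([]byte, gcm.NonceSize())
	must(rand.Read(nonce))
	return gcm.Seal(nonce, nonce, []byte(template), nil)
}

var placeholder = regexp.MustCompile(`%(\d+)`)

// legalSQL stands in for the DBMS check at step 254: one SELECT, no separators or comments.
func legalSQL(y string) bool {
	u := strings.ToUpper(strings.TrimSpace(y))
	return strings.HasPrefix(u, "SELECT ") && !strings.Contains(u, ";") &&
		!strings.Contains(u, "--") && !strings.Contains(u, "/*")
}

// portProcedure is the server-side interface 232 plus decryption procedure 240:
// decrypt X (step 252), merge the argument string into Y, check Y (step 254).
func portProcedure(command []byte, args []string) (string, error) {
	ns := gcm.NonceSize()
	if len(command) < ns {
		return "", errors.New("rejected: no encrypted SQL statement")
	}
	x, err := gcm.Open(nil, command[:ns], command[ns:], nil)
	if err != nil { // cleartext SQL or a modified blob fails authentication
		return "", errors.New("rejected: no encrypted SQL statement")
	}
	y := placeholder.ReplaceAllStringFunc(string(x), func(m string) string {
		if i, _ := strconv.Atoi(m[1:]); i >= 1 && i <= len(args) {
			return args[i-1]
		}
		return m // unresolved placeholder: Y fails the legality check below
	})
	if placeholder.MatchString(y) || !legalSQL(y) {
		return "", errors.New("rejected: not a legal SQL statement") // step 256
	}
	return y, nil // step 258: Y is executed by the DBMS and the results returned
}
```

Because the argument string is merged into Y as cleartext, the check at step 254 is the only thing standing between an argument value and the DBMS; the example therefore treats any Y that is not a single read-only statement as illegal.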

Referring to Fig. 5, in an alternate embodiment of the invention, the modified DBMS access procedure 206' used by trusted clients contains a main access procedure 270 that constructs SQL statements to be sent to the information server, and an SQL statement encryption procedure 272 that encrypts the command portion of the constructed SQL statement. The main access procedure 270 then transmits a message that includes the encrypted command portion of the SQL statement and an unencrypted argument string, if the constructed SQL statement included any arguments. The advantage of this version of the modified DBMS access procedure 206' for trusted clients is that this procedure can construct all possible SQL statements without having to store all such possible SQL statements as embedded encrypted strings as part of the procedure. The disadvantage of this version of the modified DBMS access procedure 206' for trusted clients is that it contains the encryption procedure, which could potentially be misused if a copy of the procedure fell into the possession of someone who wanted to breach the security of the information server.

While the present invention has been described with reference to a few specific embodiments, the description is illustrative of the invention and is not to be construed as limiting the invention. Various modifications may occur to those skilled in the art without departing from the true spirit and scope of the invention as defined by the appended claims.

Claims 

1. A distributed computer system, comprising:

an information server, said information server including a database management system (DBMS) and a port for receiving and responding to SQL statements;

at least one client computer, coupled by a communication path to said information server; said one client computer including database access means for sending SQL statements to said DBMS in said information server; said database access means including a plurality of encrypted SQL statements embedded in said database access means, said embedded encrypted SQL statements representing a predefined subset of a predefined full set of SQL statements recognized as legal SQL statements by said DBMS in said information server; each of said SQL statements sent by said database access means to said DBMS in said information server including a corresponding one of said encrypted SQL statements; and

said information server including means for decoding said received SQL statements, including means for decoding said encrypted SQL statement included in each of said SQL statements sent by said database access means in said one client computer, and means for rejecting received SQL statements that do not include an encrypted representation of a legal SQL statement.

2. The distributed computer system of claim 1,

at least one other client computer, coupled by a communication path to said information server; said other client computer including other database access means for sending SQL statements to said DBMS in said information server; said other database access means including a second plurality of encrypted embedded SQL statements, representing a second predefined subset of said predefined full set of SQL statements recognized as legal SQL statements by said DBMS in said information server; each of said SQL statements sent by said other database access means to said DBMS in said information server including a corresponding one of said second plurality of encrypted embedded SQL statements, wherein said second predefined subset is different from said predefined set of encrypted embedded SQL statements in said database access means.

3. The distributed computer system of claim 1,

at least one trusted client computer, coupled by a communication path to said information server; said trusted client computer including trusted database access means for sending SQL statements to said DBMS in said information server, each sent SQL statement including a corresponding encrypted SQL statement and an argument string, wherein said trusted database access means includes means for sending all SQL statements included in said predefined full set of SQL statements recognized as legal SQL statements by said DBMS in said information server.

4. In a distributed computer system having an information server and a plurality of client computers coupled by a communication path to said information server, said information server including a database management system (DBMS) with a port for receiving and responding to SQL statements; a method of limiting access to said DBMS by at least some of said client computers, comprising:

sending SQL statements from at least one of said client computers to said DBMS in said information server, wherein the SQL statements are generated by executing a database access procedure in said at least one client computer, said database access procedure including a plurality of encrypted SQL statements embedded therein, said embedded encrypted SQL statements representing a predefined subset of a predefined full set of SQL statements recognized as legal SQL statements by said DBMS in said information server; each of said SQL statements generated by said database access procedure including a corresponding one of said encrypted embedded SQL statements; and

in said information server, decoding said received SQL statements, including decoding said encrypted SQL statement included in each of said SQL statements sent by said at least one client computer, and rejecting received SQL statements that do not include an encrypted SQL statement.

5. The method of claim 4,

sending SQL statements from at least one other client computer to said DBMS in said information server; wherein the SQL statements sent by said other client computer are generated by executing an other database access procedure in said at least one other client computer; said other database access procedure including a second plurality of encrypted SQL statements embedded therein, said second plurality of encrypted SQL statements representing a second predefined subset of said predefined full set of SQL statements recognized as legal SQL statements by said DBMS in said information server; each of said SQL statements generated by said other database access procedure including a corresponding one of said second plurality of encrypted embedded SQL statements, wherein said second predefined subset is different from said predefined set of encrypted embedded SQL statements in said database access procedure.

6. The method of claim 4,

sending SQL statements from at least one trusted client computer to said DBMS in said information server; wherein the SQL statements sent by said at least one trusted client computer are generated by executing a trusted database access procedure in said at least one trusted computer, each of said SQL statements generated by said trusted database access procedure including a corresponding encrypted SQL statement and an argument string, wherein said trusted database access procedure includes instructions for generating all SQL statements included in said predefined full set of SQL statements recognized as legal SQL statements by said DBMS in said information server.